Hi,
Does anyone have any experience they can share with free/cheap obfuscation tools for .net web projects. More than just string replacement, would be good.
Bascically my friend may be looking to do some work to host on external site and wants to ensure code is at least one step away from one-click decompile as view code.
I found a few but to suggest, but wanted to see what response there way from throwing out a blanket question.
Thanks
Don't know how secure it is, but some code I had still worked after using:
http://www.foss.kharkov.ua/g1/projec...t/Default.aspx
throw new ArgumentException (String, String, Exception)
LogicNP - Please contact HEXUS for details of advertising rates (DH, ModSquad)
Last edited by g8ina; 09-08-2012 at 10:24 AM. Reason: removed details of OP's own product range
Is it for visibility from external users (people who request the page)? If so you don't need oneOriginally Posted by ali73
Unless you put code in the page in a code block (I assume the Web project is ASP.Net/MVC) the code is hidden and if you configure the server correctly they can't view the code pages, especially if it's published (the code behind goes into a bin folder which can't be navigated to as a special folder)
If it's to stop the client decompiling it...
If it isn't be sure to compile + obfuscate using the tool as suggested, I think redgate/telerik offer solutions and they are known brands, be sure to check it with Reflector/justdecompile (reflector is paid for now but justdecompile is free) and pop in a few parts that throw issues for them so it doesn't work
I have to echo fin's question in asking why it's thought necessary. If it's just his own site that he's hosting then the only way someone would get hold of the compiled DLLs or source code is by hacking the server; if it's professional work for a client then what's the justification behind obfuscating it?
Also, exactly how many trade secrets does he think he knows to make it worth obfuscation? There's so much free source code, samples and tutorials for .net available that, unless he's doing something particularly niche, I don't see why anyone would go to the bother of a) obtaining the binaries/source, and b) spend time decompiling and reviewing the code. Perhaps he's looking for a solution to a problem that doesn't really exist?
Professionally I have only had to obfuscate code twice (clients taking their work to host elsewhere), on a personal level... never
If it's on the side work, unless there is some complex algorithm, licencing system or it makes calls using privaledged information (in which case they should never get full stop) there is no reason to make it harder to read
Again obfuscation doesn't mean it can't be decompiled, far from it in fact. It's just made harder to read. To think they are in a situation to have something worth that much to someone else is a little pie-in-the-sky. If they do in fact have that something with such high value.... people will find a way to get it
directhex (12-08-2012)
Hi Finlay666,
Thanks for your input.
It's to stop the client decompiling it, not sure about telerik but I think he's already used some RedGate softare.. so he might look into that.
As much as we'd like to believe we live in a world where hacking servers doesn't happen.... I'm sure he believes otherwise.
It's not for us to judge the worth of someones "trade secrets"! at the end of the day he/she has put hard work into something and rather not make it easier for someone else to lift it.
The binaries are going to be on someone elses server, and he hopes to be paid for his work if the code proves itself. I've known a few people who have taken .net code and put it through a decompiler to and view the source. Then nicked it for their own apps, why rebuild the wheel when you can use someone elses code.
Sure there are free samples, tutorials out there, but how many people would want to build something from scratch.. if an easier opportunity presented itself. I'm not saying his Client is a thief, just doesn't make sense to just 'hand it over' before getting paid. it's not just the code aspect it's the time taken to think through the problems and design the solution also.
During my first six months of coding .net I saw a guy, decomple a DLL to extract a password (or something) and with a smirk on his faced turned to us and said "Why would ANYONE not bother securing their code?". After seeing that I would think it would be pretty a daft thing not to even bother a least giving someone a slope to climb. If they do manage to get your code good on them they've earned it!
In summary, I'm not looking to judge his decision... I know he has his reasons, simply wondering if anyone has used any tools and give some feedback.
RedGate make Reflector, it was originally a free .Net decompiler (the best, IMO) but then they made it a paid for solution, so I started looking elsewhere
Telerik made JustDecompile as a free solution, there are others available, they aren't especially hard to find, places like StackOverflow have a number of people giving their views on which is best
You can, if you are so inclined, even write your own utilising either the reflection classes in .Net (useful for working dynamically), although many (inc directhex I believe) see the Mono.Cecil library as a superior library
Because people like that become very good at using search engines and little else, it also makes code harder to maintain if changes are to be made because they don't understand it, same for extending the code
Indeed, but my point was more that if the servers do get hacked he'll have bigger worries than whether his code was obfuscated or not!
Fair enough, you're probably not in a position to need to judge his decision. But in trying to give good advice, I am. If the risks associated with not obfuscating the code are (as they appear on the surface) very low, then it probably isn't worth investing time (and potentially money) in a solution. So I need to ask why - in order to make sure I'm giving good advice.
It's been a while since I last spoke, but he spent good deal of time on it (and that was before I posted the question).
What I remember is this Client (amongst a few others) was a trial user, free access to app as long as he get bugs sorted out.. some kind of services application that he wanted to resell. He had some interest in it and managed to secure about £4000 up front from other interested parties who for their 'share' would get it at a reduced rate.
I do recall it was pretty much designed and running on his own machines at home.. but needed to go out in the world. This brought up the question of how to secure it, not easily stolen. Maybe some wannabe programmer/script kiddie employee might take a shine to it and pinch it for a looksee.
The money raised was already pencilled in for hosting/web designer/security/paperwork etc.
From memory it was to be licenced either at £250-£500 per month to use.. or pay per employee type licence. So I guess he could recoup any initials costs quite quickly. For his part as long as it was up and running and reports came out etc.. he got his money.. (even if he did no development for a month or two)
This is actually quite an old question, not sure why it started getting attention recently.. but thanks for all those who commented. Not sure how it all worked out... maybe he ended up hosting it from home via dedicated (leased) line on his machines.. who knows.
The Azure servers are still free for trials (they give you 3 months then a year IIRC), a small cost considering how much he has upfront for it
Ah, got bumped by a spammer, didn't notice! Happens from time to time here due to Hexus' very good Google rating.
Have to say, it sounds to me like your friend could easily have afforded a decent VPS, if not co-location, which would make the job of securing it much easier (i.e. he'd control all access to the server). But that level of investment is certainly a bigger risk than I was initially assuming, so perhaps obfuscation would be justified.
I've used dotfuscator before, and though not that powerful it's enough of a deterrent most of the time. Bonus, it's included with Visual Studio.
There are currently 1 users browsing this thread. (0 members and 1 guests)
Posting Permissions
LinkBack URL
About LinkBacks
Reply With Quote
